Unconditionally Secure Quantum Bit Commitment* 

Horace P. Yuen

Department of Electrical and Computer Engineering, Department of Physics and Astronomy, 
Northwestern University, Evanston, IL 60208-3118, USA 

The "impossibility proof" on unconditionally secure quantum bit commitment is examined. It is 
shown that the possibility of juxtaposing quantum and classical randomness has not been properly 
taken into account. A specific protocol that beats entanglement cheating with entanglement is 
proved to be unconditionally secure. 
Bit commitment is a kind of a cryptographic protocol
that can serve as a building block to achieve various cryp- 
tographic objectives, such as user authentication. There 
is a nearly universal acceptance of the general impossibil- 
ity of secure quantum bit commitment (QBC), taken to 
be a consequence of the Einstein-Podolsky-Rosen (EPR) 
type entanglement cheating which supposedly rules out 
QBC and other quantum protocols that have been pro- 
posed for various cryptographic objectives. In a bit 
commitment scheme, one party, Adam, provides another 
party, Babe, with a piece of evidence that he has chosen 
a bit b (0 or 1) which is committed to her. Later, Adam 
would open the commitment by revealing the bit b to 
Babe and convincing her that it is indeed the committed 
bit with the evidence in her possession and whatever fur- 
ther evidence Adam then provides, which she can verify. 
The usual concrete example is for Adam to write down 
the bit on a piece of paper, which is then locked in a safe 
to be given to Babe, while keeping for himself the safe 
key that can be presented later to open the commitment. 
The scheme should be binding, i.e., after Babe receives 
her evidence corresponding to a given bit value, Adam 
should not be able to open a different one and convince 
Babe to accept it. It should also be concealing, i.e., Babe 
should not be able to tell from her evidence what the bit 
b is. Otherwise, either Adam or Babe would be able to 
cheat successfully. 

In standard cryptography, secure bit commitment is to 
be achieved either through a trusted third party, or by 
invoking an unproved assumption concerning the com- 
plexity of certain computational problems. By utilizing 
quantum effects, specifically the intrinsic uncertainty of 
a quantum state, various QBC schemes not involving a 
third party have been proposed to be unconditionally 
secure (US), in the sense that neither Adam nor Babe 
could cheat with any significant probability of success 
as a matter of physical laws. In 1995-1996, a suppos- 
edly general proof of the impossibility of unconditionally 
secure QBC, and the insecurity of previously proposed 
protocols, were presented. Henceforth it has been
generally accepted that secure QBC and related objectives
are impossible as a matter of principle.

There is basically just one impossibility proof (IP), 
which gives the EPR attacks for the cases of equal and 
unequal density operators that Babe has for the two dif- 
ferent bit values. The proof purports to show that if 
Babe's successful cheating probability $P^B$ is close to the
value 1/2, which is obtainable from pure guessing of the 
bit value, then Adam's successful cheating probability 
$P^A$ is close to the perfect value 1. The impossibility proof
describes the EPR attack on a specific type of proto- 
cols, and then argues that all possible QBC protocols are 
of this type. Since there is no mathematical characteri- 
zation of all possible QBC protocols - no mathematical 
definition of a QBC protocol exists with the justification 
that it includes all protocols that would achieve bit com- 
mitment - a priori there can be no general impossibility 
proof. A general analysis of the situation is provided in 
[12]. In this paper, we pinpoint the gaps in the IP involving
quantum versus classical randomness that make
possible a relatively simple QBC protocol that utilizes 
classical random numbers generated in any usual way. 
This particular protocol depends critically on verifying
split entangled pairs used as anonymous states 0, Il4| 
which Babe first transmitted to Adam in a two-stage protocol,
thus beating entanglement with entanglement [16].

The impossibility proof, in its claimed generality, has 
never been systematically spelled out in one place, but 
the essential ideas that constitute this proof are gener- 
ally agreed upon 0j _ E3- The formulation and the proof 
can be cast as follows. Adam and Babe have available 
to them two-way quantum communications that termi- 
nate in a finite number of exchanges, during which either 
party can perform any operation allowed by the laws of 
quantum physics, all processes ideally accomplished with 
no imperfection of any kind. During these exchanges, 
Adam would have committed a bit with associated evidence
to Babe. It is argued that, at the end of the commitment
phase, there is an entangled pure state $|\Phi_b\rangle$,
$b \in \{0, 1\}$, shared between Adam who possesses state
space $\mathcal{H}^A$, and Babe who possesses $\mathcal{H}^B$. For example,
if Adam sends Babe one of $M$ possible states $\{|\phi_{bi}\rangle\}$ for
bit $b$ with probability $p_{bi}$, then

$$|\Phi_b\rangle = \sum_i \sqrt{p_{bi}}\, |e_i\rangle |\phi_{bi}\rangle \qquad (1)$$

with orthonormal $|e_i\rangle \in \mathcal{H}^A$ and known $|\phi_{bi}\rangle \in \mathcal{H}^B$.
Adam would open by making a measurement on $\mathcal{H}^A$,
say $\{|e_i\rangle\}$, communicating to Babe his result $i_0$ and $b$;
then Babe would verify by measuring the corresponding
projector $|\phi_{bi_0}\rangle\langle\phi_{bi_0}|$ on $\mathcal{H}^B$, accepting as correct only
the result 1. More generally, one may consider the whole
$|\Phi_b\rangle$ of (1) as the state corresponding to the bit $b$, with
Adam sending $\mathcal{H}^A$ to Babe upon opening, so she can
verify by projection measurement on $|\Phi_b\rangle\langle\Phi_b|$.

Classical random numbers are routinely used in classi- 
cal cryptographic protocols, and so must be allowed in a 
quantum protocol. In the IP, they are handled as follows. 
When classical random numbers known only to one party 
are used in the commitment, they are to be replaced by 
corresponding quantum state purification. The commitment
of $|\phi_{bi}\rangle$ with probability $p_{bi}$ in (1) is, in fact, an
example of such purification. Generally, for any random
$k$ used by Babe, it is argued that from the doctrine of
the "Church of the Larger Hilbert Space" [9], it is to be
replaced by the purification \^f) in TL B ® Ti B , 

$$|\Psi\rangle = \sum_k \sqrt{\lambda_k}\, |\psi_k\rangle |f_k\rangle, \qquad (2)$$

where \ipk) G T~t B and the \fk)' s are complete orthonor- 
mal in H B kept by Babe while Ti c would be sent to 
Adam. With such purification, it is claimed that any
protocol involving classical secret parameters would become
quantum-mechanically determinate, i.e., the shared
state $|\Phi_b\rangle$ at the end of commitment is completely known
to both parties. This means that both $\{\lambda_k\}$ and $\{|f_k\rangle\}$
are taken to be known exactly to both Babe and Adam.
The IP assumes that Babe is honest (and Adam is also 
honest in a multi-stage protocol 0,01,0) in using the 
agreed upon $\{\lambda_k\}$ and $\{|f_k\rangle\}$, and then claims that unconditional
security is impossible. We will retain this
assumption in this paper to show that the IP reasoning 
is incorrect. However, US QBC is possible even when 
this assumption is dropped by using a cheat-testing pro- 
cedure 0. 

In the purification (2), exactly which orthonormal
$\{|f_k\rangle\}$ is used does not affect the anonymous nature of
$\{|\psi_k\rangle\}$. Why then does $\{|f_k\rangle\}$ have to be agreed upon
and known to Adam? This issue is not addressed in the
IP. Clearly, a choice from a set of possible $\{|f_k^l\rangle\}$,
$l \in \{1, \ldots, L\}$, with a priori probabilities $\{p^l\}$, both openly
known, can be picked secretly by Babe using a classical
random number generator for each transmission of 
If the protocol is concealing for every $l$, Adam has no right
to demand the knowledge of $l$. On the other hand, the
IP may not go through as $\{|f_k\rangle\}$ or the total

$$|\Phi_b\rangle = \sum_{ik} \sqrt{p_{bi}\lambda_k}\, |e_i\rangle |f_k\rangle |\phi_{bik}\rangle \qquad (3)$$

is not known to Adam. This is the anonymous state 
idea for building US QBC protocols. It should 
be noted that if Babe, e.g., picks $\{|\psi_k\rangle\}$ by throwing
a die with probabilities $\{\lambda_k\}$, she herself would not be
able to tell what the $\{|f_k\rangle\}$ is. Thus, physically, it is
totally unreasonable to assume that Adam knows the
$\{|f_k\rangle\}$ in an anonymous state protocol. Similarly, as just
noted, Babe may just send a classically randomly chosen
$\{|\psi_k\rangle\}$ so long as the protocol is concealing for every
$k$. As it turns out |L|, if the protocol is perfectly concealing
($P^B = 1/2$), Adam's cheating transformation $U^A$
on $\mathcal{H}^A$ that brings $|\Phi_0\rangle$ to $|\Phi_1\rangle = U^A \otimes I^B |\Phi_0\rangle$ is independent
of or the specific $|\psi_k\rangle$, under either of
the following conditions: (a) Babe verifies by first measuring
$\{|f_k\rangle\}$ and then checking or (b) Adam's $b$-dependent
commitment action does not change the composite
index $k$ to get one unknown state to another unknown
state for him. One way, among others, to show
this is to use the result in 0] that explicitly determines 
$U^A$ in terms of $|\Phi_b\rangle$ of (1) or (3), which can be achieved
by a simple matrix transformation argument [15]. Let
Ua = A# = ^m(<h.i\<hi),\M = (AAt)Va. 
Then 00 

AU = |A|. (4) 

Generalization to $\epsilon$-concealing ($P^B = 1/2 + \epsilon$) protocols
of this behavior can be expected. 

However, a perfectly concealing US protocol may be 
obtained from the use of (2) with $|\psi_k\rangle$ being an entangled
state split between Adam and Babe during commitment
with Adam's $b$-dependent commitment action changing
the composite index $k$, while verification is carried out on
the total entangled $|\psi_k\rangle$. Such a split entangled state by
itself does not lead to a binding protocol for known $\{|f_k\rangle\}$,
but together with the use of a secretly chosen $|f_k^l\rangle$ as described
above, Adam would not be able to cheat perfectly
($P^A = 1$). Thus, an $\epsilon$-binding protocol for any $\epsilon > 0$ is
obtained in a sufficiently long n-sequence in the standard 
fashion 3] . In the following, we describe the specific pro- 
tocol (which we call QBC4) that achieves unconditional 
security in the above fashion. 

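Let $|m_j\rangle_j$, $j \in \{\mu, \nu\}$, $m_j \in \{1, 2\}$, be two openly
known orthonormal qubit states, $\langle 1|2\rangle = 0$, for each of
the two possible $j$. When there is no ambiguity, we would
write $|m_j\rangle_j$ simply as $|m\rangle_j$ to simplify notation. Let Babe
prepare two states

$$|\Psi_j\rangle = \frac{1}{\sqrt{2}} \sum_m |m\rangle_j |g_m\rangle_j, \qquad (5)$$

where $|m\rangle_j \in \mathcal{H}^B_{j\alpha}$, $m \in \{1, 2\}$, and $\{|g_m\rangle_j \mid m = 1, 2\}$
form an orthonormal basis in $\mathcal{H}^B_{j\beta}$ for each $j \in \{\mu, \nu\}$,
with $|\Psi_j\rangle \in \mathcal{H}^B_{j\alpha} \otimes \mathcal{H}^B_{j\beta}$ on two qubits for each $j$. We have
skipped one subscript $j$ in $|g_{m_j}\rangle_j$ as in $|m\rangle_j$ to simplify
notation. Let $\mathcal{H}^B_\alpha = \mathcal{H}^B_{\mu\alpha} \otimes \mathcal{H}^B_{\nu\alpha}$, $\mathcal{H}^B_\beta = \mathcal{H}^B_{\mu\beta} \otimes \mathcal{H}^B_{\nu\beta}$,
$\mathcal{H}^B = \mathcal{H}^B_\alpha \otimes \mathcal{H}^B_\beta$.

Babe keeps $\mathcal{H}^B_\beta$ and sends the ordered pair of qubits
$\mathcal{H}^B_\alpha$ to Adam. Adam applies the following transformation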
on Hf a separately for each j: becomes € H A £g> 
where $i \in \{1, 2, 3, 4\}$, $\{|e_i\rangle_j\}$ complete orthonormal in
$\mathcal{H}^A_j$, and $V_i$ are four unitary qubit operators given by $I$,
$\sigma_x$, $-i\sigma_y$, $\sigma_z$ in terms of the Pauli spin operators when $|1\rangle$
and $|2\rangle$ lie on the qubit $z$-axis. Eq. © can be obtained
by the unitary transformation (e, \®Vi on Ti' 4 ® 

Ttf a with initial state |^) G H A that has (ei|^u)j = \- 
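To commit $b = 0$, Adam sends back $\mathcal{H}^B_{\mu\alpha} \otimes \mathcal{H}^B_{\nu\alpha}$ in the
original order, and he switches them to $\mathcal{H}^B_{\nu\alpha} \otimes \mathcal{H}^B_{\mu\alpha}$ to
commit $b = 1$. He opens by announcing $b$, the order of
the two $\mathcal{H}^B_{j\alpha}$ he committed, and submitting the ordered
qubit pair $\mathcal{H}^A = \mathcal{H}^A_\mu \otimes \mathcal{H}^A_\nu$. Babe verifies by measuring
the corresponding projections to $|\Phi_\mu\rangle|\Phi_\nu\rangle$ of ©. The
general situation is depicted in Fig. 1.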

It is easy to verify by tracing over $\mathcal{H}^A$ that for either
$b$, $\rho_0^B = \rho_1^B = I^B/16$ on $\mathcal{H}^B$, for any orthonormal
$\{|g_m\rangle_j\}$. If Babe entangles over the possible choices of
such $\{|g_m\rangle_j\}$ via $\{|f_k\rangle\}$, a simple calculation shows that
perfect concealing $\rho_0^{BC} = \rho_1^{BC}$ on $\mathcal{H}^B \otimes \mathcal{H}^C$ is maintained,
where $\mathcal{H}^C$ is the space Babe used to carry out such entanglement.
Similarly, perfect concealing is maintained
with further entanglement of $\{|f_k^l\rangle\}$ with $\{p^l\}$. This happens
because the $V_i$ operations by Adam totally disentangle
the state on $\mathcal{H}^B_\alpha \otimes \mathcal{H}^B_\beta \otimes \mathcal{H}^C$ into a product state
$I^B_\alpha/4 \otimes \rho^{BC}_\beta$ for either $b$, and there is no identity that
individuates a qubit by itself, that is not entangled or
correlated to another.
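
As an added example (not code from the paper), this Python sketch checks the concealing statement above numerically: it builds Babe's two entangled pairs for arbitrary orthonormal bases, averages over Adam's four operators I, sigma_x, -i sigma_y, sigma_z with his ancilla traced out, and compares Babe's 16x16 state for b = 0 and b = 1. It assumes each pair is the maximally entangled state (1/sqrt 2) sum_m |m>|g_m>; the function names, the parametrisation of the bases and the sample angles are assumptions of the example, and it tests concealing only, not binding.

```python
import cmath, math

# Adam's four qubit unitaries V_i from the text: I, sigma_x, -i*sigma_y, sigma_z.
V = [[[1, 0], [0, 1]], [[0, 1], [1, 0]], [[0, -1], [1, 0]], [[1, 0], [0, -1]]]

def basis(theta, phi):
    """Rows are an orthonormal qubit basis {|g_1>, |g_2>}; the angles are arbitrary."""
    c, s, e = math.cos(theta), math.sin(theta), cmath.exp(1j * phi)
    return [[c, e * s], [-e.conjugate() * s, c]]

def pair_rho(g, masked=True):
    """Babe's 4x4 state on (alpha, beta) for one pair j, Adam's ancilla traced out."""
    psi = [[x / math.sqrt(2) for x in row] for row in g]  # psi[m][beta component]
    ops = V if masked else [V[0]]                          # unmasked: Adam skips V_i
    rho = [[0j] * 4 for _ in range(4)]
    for Vi in ops:
        v = [Vi[a][0] * psi[0][b] + Vi[a][1] * psi[1][b]
             for a in range(2) for b in range(2)]
        for r in range(4):
            for c in range(4):
                rho[r][c] += v[r] * v[c].conjugate() / len(ops)
    return rho

def babe_rho(g_mu, g_nu, b, masked=True):
    """Babe's 16x16 state on (alpha_mu, beta_mu, alpha_nu, beta_nu) for bit b."""
    rm, rn = pair_rho(g_mu, masked), pair_rho(g_nu, masked)
    def split(k):
        am, bm, an, bn = k >> 3 & 1, k >> 2 & 1, k >> 1 & 1, k & 1
        if b:                                   # b = 1: alpha qubits returned swapped
            am, an = an, am
        return 2 * am + bm, 2 * an + bn
    return [[rm[split(r)[0]][split(c)[0]] * rn[split(r)[1]][split(c)[1]]
             for c in range(16)] for r in range(16)]

def max_diff(x, y):
    """Largest entrywise difference between two 16x16 density matrices."""
    return max(abs(x[r][c] - y[r][c]) for r in range(16) for c in range(16))

def concealing_gap(g_mu, g_nu, masked=True):
    """0 means Babe's states for b = 0 and b = 1 are identical."""
    return max_diff(babe_rho(g_mu, g_nu, 0, masked), babe_rho(g_mu, g_nu, 1, masked))

def distance_from_mixed(g_mu, g_nu, b):
    """Distance of Babe's state from the maximally mixed state I/16."""
    mixed = [[(r == c) / 16 for c in range(16)] for r in range(16)]
    return max_diff(babe_rho(g_mu, g_nu, b), mixed)

if __name__ == "__main__":
    g_mu, g_nu = basis(0.3, 1.1), basis(1.2, -0.4)   # constructed sample bases
    print(concealing_gap(g_mu, g_nu), distance_from_mixed(g_mu, g_nu, 1))
    print(concealing_gap(g_mu, g_nu, masked=False))
```

With the four operators applied, the gap is zero to rounding and Babe's state is I/16 for either bit, whatever bases she chose. With `masked=False`, where Adam returns the qubits without applying them, the swap changes Babe's state and she can detect it.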

Intuitively, we intend to guarantee binding by the fact
that $\mathcal{H}^B_\beta = \mathcal{H}^B_{\mu\beta} \otimes \mathcal{H}^B_{\nu\beta}$ in Babe's possession cannot
be switched to $\mathcal{H}^B_{\nu\beta} \otimes \mathcal{H}^B_{\mu\beta}$ by operating on $\mathcal{H}^A \otimes \mathcal{H}^B_\alpha$
alone. However, this is possible if the two orthonormal
sets $\{|g_m\rangle_j\}$ are known. Indeed, this is the content of
the impossibility proof [18]. Thus, to guarantee security,
Babe needs to employ different choices of $\{|g_m\rangle_j\}$ with
different bases indexed by $k'$. She may employ a fixed
these via orthonormal {\g k ad infinitum. This pos- 
sible chain of purifications has to stop somewhere, and 
we simply stop it at $\mathcal{H}^B$ without $\mathcal{H}^C$. As we have seen,
this does not affect perfect concealing so that Babe is
free to choose any orthonormal $\{|g_m\rangle_j\}$. In the notation
of (2), the effective {\ip k }} in this case is | de- 
termined by {|<7m)}j with further entanglement to \ fk) of 
(2) described by $\mathcal{H}^C$ above. In the notation of (2), $k$ is
the ordered triple $(\mu, \nu, k')$ for fixed It is clearly
unreasonable for Adam to demand such knowledge, as
discussed above and codified in the Secrecy Principle of 
Ref. 0| . This possibility is neglected in the impossibility 
proof. 

To see exactly how binding is obtained in the present
situation, note that the perfect cheating transformation
$U^A$ is determined by Eq. (4), which is unique up to a
phase factor in this nondegenerate situation. It depends
on $\{|g_m\rangle_j\}$ in the present case with state-space switching,
i.e. $\mu, \nu$-switching where $\{\mu, \nu\}$ is part of the composite
index $k$, in contrast to merely $\langle g_m|g_{m'}\rangle = \delta_{mm'}$, i.e.,
no dependence on the actual $\{|g_m\rangle\}$ in the case without
switching in the absence of $j$. Thus, Adam cannot cheat
perfectly. Note that the generalized IP result from 0] 
does not apply here because Adam's $b$-dependent commitment
action re-arranges the $\mu, \nu$ part of the composite
index $k$ of (2), which in turn demands entanglement or
correlation from Babe in order that she can verify such
re-arrangement. On the other hand, quantum entanglement
instead of classical correlation is also needed here
- Babe cannot verify by first measuring $\{|m\rangle_j\}$ because
Adam would be able to determine the $|m\rangle_j$ with a measurement
if he knows that is the way Babe would verify.
Thus, we are indeed beating entanglement with entanglement.
On the other hand, Adam's entanglement is not
essential. As usual in QBC protocols, the whole procedure
works the same if Adam chooses the $V_i$ on $\mathcal{H}^B_{\mu\alpha}$ and
$\mathcal{H}^B_{\nu\alpha}$ classically and opens by telling Babe his choice.



We have assumed as usual that Adam opens $b = 0$
perfectly. Let $p_A < 1$ be Adam's optimum probability of
cheating for a given choice of $\{|g_m\rangle_j\}$ and $\{p_{k'j}\}$, taking
into account also all his other obvious imperfect cheating
possibilities, such as simply announcing a different $b$.
We have thus shown that the formulation and the reasoning
of the impossibility proof break down already in
this simple pair $|\Phi_\mu\rangle|\Phi_\nu\rangle$ situation.



When the $b = 0$ perfect opening condition is relaxed, it
is clear that Adam still cannot cheat perfectly, but it is 
possible that the overall successful opening probability 
(honest plus cheating) may be improved. By continuity 
it can be seen that Adam's optimum cheating probability 
P A is arbitrarily close to pa = 5 if the b = opening 
probability is arbitrarily close to 1, the case of interest. 



Protocol QBC4 is obtained when the above proto- 
col, to be called QBC4p, is extended to a sequence of 
{|*n M >|*n^)}, n e {1, ...,N}, each of the form ©, 
with \g nm )j G H B jp, \m n )j G 7if i/3 , etc. Babe should 
send Adam {H 3 ^ ®'H B va } and Adam should commit to 
Babe these spaces for all p after he entangles them with 
<8) 7~l A v using the Vi operations, permuting each pair 
for b = 1. He opens by announcing b and the state of 
the qubits in each H B a and submitting {Tt A }, with Babe 
verifying \& n v) G TL A ®Ti B after possible rearrangement
for each n. Since there is no new entanglement
possibility for Adam, the protocol is perfectly concealing
with $P^A = p_A^N$ going to zero exponentially in $N$. Thus,
QBC4 is perfectly concealing and $\epsilon$-binding for any $\epsilon > 0$
by letting $N$ be large. We summarize our perfectly concealing
and $\epsilon$-binding protocol:
PROTOCOL QBC4

(i) Babe sends Adam $N$ ordered pairs $\{\mathcal{H}^B_{n\mu\alpha} \otimes \mathcal{H}^B_{n\nu\alpha}\}$
of qubit pairs, $n \in \{1, \ldots, N\}$, which are
entangled to $\{\mathcal{H}^B_{n\mu\beta} \otimes \mathcal{H}^B_{n\nu\beta}\}$ in her possession in
states $|\Psi_{n\mu}\rangle |\Psi_{n\nu}\rangle$ of the form (5), with independent
random choices of $\{|g_m\rangle_j\}$ with probability
$\{p_{k'j}\}$.

(ii) To commit $b$, Adam applies, for each $n$,
$\sum_i |e_i\rangle\langle e_i| \otimes V_i$ on ® Wf a , resulting in a state
$|\Phi_{n\mu}\rangle |\Phi_{n\nu}\rangle$ given via the form (|HJ, and sends
$\{\mathcal{H}^B_{n\alpha}\}$ to Babe as evidence for $b = 0$, while
switching the order of each $\mathcal{H}^B_{n\mu\alpha} \otimes \mathcal{H}^B_{n\nu\alpha}$ for
$b = 1$.

(iii) Adam opens by announcing $b$, the order of the
qubits in each $\mathcal{H}^B_{n\alpha}$, and submitting $\{\mathcal{H}^A_n\}$. Babe
verifies by projective measurements of $\{|\Phi_{n\mu}\rangle\}$,
$\{|\Phi_{n\nu}\rangle\}$, for all $n$.



quantum bit commitment opens up the possibility of 
many cryptographic functions, including secure multi- 
party computation. It would be of interest to develop 
practically feasible secure QBC protocols ^2 for such
applications. 